Constant-Size Commitments to Polynomials and Their Applications

Transcription

1 Constant-Size Commitments to Polynomials and Their Applications Aniket Kate 1, Gregory M. Zaverucha 2, and Ian Goldberg 3 1 Max Planck Institute for Software Systems (MPI-SWS) 2 Certicom Research 3 University of Waterloo Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures. Keywords: Polynomial Commitments, Verifiable Secret Sharing, Zero-Knowledge Sets, Credentials 1 Introduction Commitment schemes are fundamental components of many cryptographic protocols. A commitment scheme allows a committer to publish a value, called the commitment, which binds her to a message (binding) without revealing it (hiding). Later, she may open the commitment and reveal the committed message to a verifier, who can check that the message is consistent with the commitment. We review three well-known ways a committer can commit to a message. Let g and h be two random generators of a group G of prime order p. The committer can commit to a message m R Z p simply as C g (m) = g m. This scheme is unconditionally binding, and computationally hiding under the assumption that the discrete logarithm (DL) problem is hard in G. The second scheme, known as a Pedersen commitment [31], is of the form C g,h (m, r) = g m h r, where r R Z p. Pedersen commitments are unconditionally hiding, and computationally binding An extended version of this paper is available [24]. This research was completed at the University of Waterloo.

2 under the DL assumption. Third, the committer may publish H(m) or H(m r) for any one-way function H. In practice a collision-resistant hash function is often used. A survey by Damgård [16] covers the commitment schemes in detail. Now consider committing to a polynomial φ(x) R Z p [x], a problem motivated by verifiable secret sharing. Suppose φ(x) has degree t and coefficients φ 0,..., φ t. We could commit to the string (φ 0 φ 1... φ t ), or to some other unambiguous string representation of φ(x). Based on the commitment function used, this option may have a constant size commitment which uniquely determines φ(x). However, it limits the options for opening the commitment; opening must reveal the entire polynomial. This is not always suitable for cryptographic applications, most notably secret sharing, that require evaluations of the polynomial (i.e., φ(i) for i Z p ) be revealed to different parties or at different points in the protocol without revealing the entire polynomial. One solution is to commit to the coefficients, e.g., C = (g φ0,..., g φt ), which allows one to easily confirm that an opening φ(i) for index i is consistent with C. However, this has the drawback that the size of the commitment is now t + 1 elements of G. Our Contributions. The main contribution of this paper is an efficient scheme to commit to polynomials φ(x) Z p [x] over a bilinear pairing group, called PolyCommit DL, with the following features. The size of the commitment is constant, a single group element. The committer can efficiently open the commitment to any correct evaluation φ(i) along with an element called the witness, which allows a verifier to confirm that φ(i) is indeed the evaluation at i of the polynomial φ(x). The construction is based on an algebraic property of polynomials φ(x) Z p [x] that (x i) perfectly divides the polynomial φ(x) φ(i) for any i Z p. The hiding property of the scheme is based on the DL assumption. The binding property of the main scheme is proven under the SDH assumption [6]. Using a technique similar to Pedersen commitments, we also define a stronger commitment scheme PolyCommit Ped, which achieves unconditional hiding and computational binding under the SDH assumption. When a set of evaluations {φ(i) : i S} is opened at the same time, what we term batch opening, the overhead still remains a single witness element. Security of batch opening assumes that the bilinear version of the SDH (BSDH) problem [21] is hard. Further, our schemes are homomorphic and easily randomizable. As in other work on reducing communication costs (e.g., [8]) the global system parameters are somewhat large (O(t) in our case). Reducing communication complexity (i.e., the number of bits transferred) is our goal, and to this end we apply the PolyCommit schemes to the following four applications. First we apply the PolyCommit schemes to the Feldman verifiable secret sharing (VSS) protocol [18]. The new VSS protocol requires a broadcast with size O(1) as compared to O(n) required in the best known protocols in the literature (where n is the number of participants) [18, 31]. Second, we define and use the PolyCommit schemes to construct a relaxed type of zero-knowledge set (ZKS) [27]. A ZKS is a commitment to a set S, such that the committer may prove that i S, or i S without revealing additional information about S, not even S. We define nearly zero-knowledge sets as ZKS

3 that do not attempt to hide the size of the committed set. This is sufficient for most applications of zero-knowledge sets, and our construction has constant size proofs of (non)membership as compared to the best known constructions of ZKS that require non-constant communication [12, 25]. We apply the same relaxation to elementary zero-knowledge databases (ZK-EDB), and achieve constant communication there as well. In the next application we leverage the efficiency of batch opening, by using the PolyCommit schemes in an efficient general construction of a content extraction signature (CES) scheme [35]. A CES scheme allows a signature holder to extract signatures for subsections of the signed message. The general construction, when instantiated with our commitment scheme and a general secure signature scheme, is as efficient as the best known CES scheme, which relies on specific properties of the RSA signature scheme. In the special case when the CES scheme is used to authenticate a list of attributes, the result is a digital credential with an efficient selective show operation. A selective show allows the credential holder to reveal only a subset of the attributes, with proof that the revealed attributes are signed. More precisely, the communication cost of revealing k attributes in a credential with t attributes is O(k), while known credential systems must communicate O(t) bits. We also show how to efficiently prove knowledge of committed values, allowing predicates on attributes to be proven in zero-knowledge (also with complexity O(k)). Outline. In the rest of this section, we compare our contributions with related work (work related to each application is included in the respective subsection). In 2, we cover some preliminary material and describe our cryptographic assumptions. 3 defines polynomial commitments and presents our constructions. 4 is devoted to applications while 5 presents some open problems. Due to space constraints, all security proofs are included in the extended version [24]. Related Work. Similar to our scheme, a Merkle hash tree [26] allows many values to be committed to with a single element. Here, the leaves of a binary tree are the messages. Each non-leaf node has the value H(L R) where L and R are its children, and H is a collision-resistant hash function. One can open the commitment to an individual message by revealing the message, and a path up the tree to the root. The opening has size O(log n) as compared to O(1) in our scheme, where n is the total number of (leaf) elements. Chase et al. [13] introduce mercurial commitments to construct ZKS, which eventually led to the commitment schemes for committing to a vector of messages [12, 25]. Catalano et al. [12], and Libert and Yung [25] construct vector commitment schemes under the name trapdoor t-mercurial commitments. The security of both of these commitment schemes is based on SDH-like assumptions and their system parameters have size O(t), as in our scheme. In [12], all messages must be revealed when opening, while in [25], the committer may open a commitment to a single message. However, in [25], it is not possible to have arbitrary indices for committed messages since each of the t committed messages

4 is associated with a value in the system parameters g αj for j [1, t]. Our scheme have no such restriction on the domain for the indices, offering greater flexibility. Another related primitive is an accumulator [3], which aggregates a large set of input elements into a single element and can provide a witness as evidence that an element is included in the accumulator. Further, it is possible to use a witness to prove (in zero-knowledge) that the element is included in the accumulator. Camenisch and Lysyanskaya [10] extend the concept to dynamic accumulators, which support efficient updates. Au et al. [1] observe that a paring-based accumulator by Nguyen [29] is a bounded accumulator, i.e., only a fixed number of elements can be accumulated. They then go on to use bounded accumulators to construct a compact e-cash scheme [2]. However, the accumulated elements in this scheme are not ordered, which makes it inappropriate for accumulating polynomials. While our PolyCommit schemes provide the same features as nondynamic accumulators, they have additional features (hiding and batch opening) and are more general since we can commit to a polynomial instead of a set. 2 Preliminaries In what follows, all adversaries are probabilistic polynomial time (PPT) algorithms with respect to a security parameter κ expect if stated otherwise. Further, they are static and they have to choose their nodes before protocol instances start. A function ɛ( ) : N R + is called negligible if for all c > 0 there exists a k 0 such that ɛ(k) < 1/k c for all k > k 0. In the rest of the paper, ɛ( ) will always denote a negligible function. We use the notation e : G G G T to denote a symmetric (type 1) bilinear pairing in groups of prime order p 2 2κ. The choice of type 1 pairings was made to simplify presentation, however, our constructions can easily be modified to work with pairings of types 2 and 3 as well. For details of bilinear pairings, see the extended version of the paper. We use the discrete logarithm (DL) assumption [26, Chap. 3], and the t-strong Diffie-Hellman (t-sdh) assumption [6] to prove the security of the PolyCommit DL and PolyCommit Ped schemes. Security of two additional properties of the schemes require a generalization of the t-diffie-hellman inversion (t-dhi) assumption [28, 5], and the bilinear version of t-sdh, the t-bsdh assumption [21]. Definition 1. Discrete logarithm (DL) Assumption. Given a generator g of G, where G = G or G T, and a R Z p, for every adversary A DL, Pr[A DL (g, g a ) = a] = ɛ(κ). Mitsunari, Sakai and Kasahara [28] introduced the weak Diffie-Hellman assumption, which was renamed the t-dhi assumption by Boneh and Boyen [5] as this assumption is stronger than the Diffie-Hellman assumption, especially for large values of t. See Cheon [14] for a security analysis. The t-dhi problem is, on input g, g α,..., g αt G t+1 to output g 1/α, or equivalently (see [7]), g αt+1. In this paper, we use a generalization of the t-dhi assumption, where A has to output a pair φ(x), g φ(α) Z p [x] G such that

5 2 κ > deg(φ) > t. We call this assumption the t-polynomial Diffie-Hellman (tpolydh) assumption. This assumption was implicitly made by [1, 2] to support their claim that the accumulator of [29] is bounded. 4 Definition 2. t-polynomial Diffie-Hellman (t-polydh) Assumption. Let α R Z p. Given as input a (t + 1)-tuple g, g α,..., g αt G t+1, for every adversary A t-polydh, the probability Pr[A t-polydh (g, gα,..., g αt ) = φ(x), g φ(α) ] = ɛ(κ) for any freely chosen φ(x) Z p [x] such that 2 κ > deg(φ) > t. Boneh and Boyen [6] defined the t-sdh assumption that is related to but stronger than the t-dhi assumption and has exponentially many non-trivially different solutions, all of which are acceptable. Definition 3. t-strong Diffie-Hellman (t-sdh) Assumption. Let α R Z p. Given as input a (t + 1)-tuple g, g α,..., g αt G t+1, for every adversary A t-sdh, the probability Pr[A t-sdh (g, gα,..., g αt ) = c, g 1 α+c ] = ɛ(κ) for any value of c Z p \{ α}. Security of the batch opening extension of our commitment schemes requires the bilinear version of the t-sdh assumption, the t-bsdh assumption [21]. Definition 4. t-bilinear Strong Diffie-Hellman (t-bsdh) Assumption. Let α R Z p. Given as input a (t+1)-tuple g, g α,..., g αt G t+1, for every adversary A t-bsdh, the probability Pr[A t-bsdh (g, gα,..., g αt ) = c, e(g, g) 1 α+c ] = ɛ(κ) for any value of c Z p \{ α}. A similar assumption was also made in [22], but with a different solution: c, e(g, h) 1/(α+c), where h R G is an additional system parameter. 3 Polynomial Commitments In this section we provide a formal definition of a polynomial commitment scheme, followed by two constructions. In the first construction the commitments are computationally hiding, while in the second they are unconditionally hiding. We also discuss some useful features of our constructions. 3.1 Definition A polynomial commitment scheme consists of six algorithms: Setup, Commit, Open, VerifyPoly, CreateWitness, and VerifyEval. 4 Note that we bound deg(φ) by 2 κ as evaluations can be found for polynomials with higher degrees in PPT using number theoretic techniques (e.g., for φ(x) = x p 1, g φ(α) = g for any α Z p). In practice, deg(φ) 2 κ.

6 Setup(1 κ, t) generates an appropriate algebraic structure G and a commitment public-private key pair PK, SK to commit to a polynomial of degree t. For simplicity, we add G to the public key PK. Setup is run by a trusted or distributed authority. Note that SK is not required in the rest of the scheme. Commit(PK, φ(x)) outputs a commitment C to a polynomial φ(x) for the public key PK, and some associated decommitment information d. (In some constructions, d is null.) Open(PK, C, φ(x), d) outputs the polynomial φ(x) used while creating the commitment, with decommitment information d. VerifyPoly(PK, C, φ(x), d) verifies that C is a commitment to φ(x), created with decommitment information d. If so it outputs 1, otherwise it outputs 0. CreateWitness(PK, φ(x), i, d) outputs i, φ(i), w i, where w i is a witness for the evaluation φ(i) of φ(x) at the index i and d is the decommitment information. VerifyEval(PK, C, i, φ(i), w i ) verifies that φ(i) is indeed the evaluation at the index i of the polynomial committed in C. If so it outputs 1, otherwise it outputs 0. Note that it is possible to commit to a list of messages (m 1,..., m t+1 ) by associating each to a unique key (index) k 1,..., k t+1 in Z p, and interpolating to find φ(x) Z p [x], such that deg(φ) t and φ(k j ) = m j. In terms of security, a malicious committer should not be able to convincingly present two different values as φ(i) with respect to C. Further, until more than deg(φ) points are revealed, the polynomial should remain hidden. Next, we formally define the security and correctness of a polynomial commitment. Definition 5. (Setup, Commit, Open, VerifyPoly, CreateWitness, and VerifyEval) is a secure polynomial commitment scheme if it satisfies the following properties. Correctness. Let PK Setup(1 κ ) and C Commit(PK, φ(x)). For a commitment C output by Commit(PK, φ(x)), and all φ(x) Z p [x], the output of Open(PK, C, φ(x)) is successfully verified by VerifyPoly(PK, C, φ(x)), and, any i, φ(i), w i output by CreateWitness(PK, φ(x), i) is successfully verified by VerifyEval(PK, C, i, φ(i), w i ). Polynomial Binding. For all adversaries A: PK Setup(1 κ ), (C, φ(x), φ (x) ) A(PK) : Pr VerifyPoly(PK, C, φ(x)) = 1 = ɛ(κ). VerifyPoly(PK, C, φ (x)) = 1 φ(x) φ (x) Evaluation Binding. For all adversaries A: PK Setup(1 κ ), (C, i, φ(i), w i, i, φ(i), w i ) A(PK) : Pr VerifyEval(PK, C, i, φ(i), w i) = 1 VerifyEval(PK, C, i, φ(i), w i) = 1 φ(i) φ(i) = ɛ(κ). Hiding. Given PK, C and { i j, φ(i j ), w φij : j [1, deg(φ)]} for a polynomial φ(x) R Z p [x] such that VerifyEval(PK, C, i j, φ(i j ), w φij ) = 1 for each j,

9 3.4 Features We next discuss some important features of PolyCommit DL and PolyCommit Ped. Homomorphism. In 3.3, we describe that the PolyCommit DL scheme is (additive) homomorphic in nature. In the full version we show that PolyCommit Ped is also homomorphic. Unconditional Hiding for PolyCommit DL. When t < deg(φ) evaluations have been revealed, PolyCommit DL unconditionally hides any unrevealed evaluation, since the t + 1 evaluations α, φ(α), i 1, φ(i 1 ),..., i t, φ(i t ) are insufficient to interpolate a polynomial of degree > t. Note that the evaluation pair α, φ(α) is available in an exponentiated form g α, g φ(α). Indistinguishability of Commitments. When a polynomial commitment scheme is randomized, an unbounded adversary cannot distinguish commitments to chosen sets of key-value pairs. When committing to a set of key-value pairs ( k 1, m 1,..., k t+1, m t+1 ), if indistinguishable PolyCommit DL commitments are required, it is sufficient to set one m i to a random value. On the other hand, the PolyCommit Ped scheme is inherently randomized and can be used directly. Trapdoor Commitment. The constructions are also trapdoor commitment schemes, where SK = α is the trapdoor. Refer to the extended version for details. Batch Opening. In the case when multiple evaluations in a PolyCommit DL commitment must be opened, the opening may be batched to reduce the computation and the communication of both the committer and the verifier; i.e., opening multiple evaluations at the same time is cheaper than opening each of those evaluations individually using CreateWitness and VerifyEval. Let B Z p, B < t be a set of indices to be opened, for a commitment C = g φ(α) created using PolyCommit DL. The witness for the values φ(i), for all i B, is computed as w B = g ψb(α) for the polynomial ψ B (x) = φ(x) r(x) i B (x i) where r(x) is the remainder of the polynomial division φ(x)/( i B (x i)); i.e., φ(x) = ψ B (x) ( i B (x i)) + r(x) and for i B, φ(i) = r(i). We define two algorithms for batch opening. The algorithm CreateWitnessBatch(PK, φ(x), B) outputs B, r(x), w B and the algorithm VerifyEvalBatch(PK, C, B, r(x), w B ) outputs 1 if e(c, g) =? e(g i B (α i), w B )e(g, g r(α) ) holds, deg r(x) = B, and r(i) = φ(i) for all i B. In terms of security, since commitments are formed in the same way as the Commit algorithm of PolyCommit DL and CreateWitnessBatch reveals no more information than running the CreateWitness algorithm of PolyCommit DL for all batch elements individually, the hiding property (Theorem 1) still holds. For binding, an adversary should not be able to open a batch B containing an index i, in a manner that conflicts with the value φ(i) output in an individual opening of index i. Formally, we say that batch opening is binding if the following holds: PK Setup(1 κ, t), (C, B, w B, r(x), i B, w i, φ(i) ) A(PK) : Pr VerifyEvalBatch(PK, C, B, w B, r(x)) = 1 = ɛ(κ). VerifyEval(PK, C, i, w i, φ(i)) = 1 φ(i) r(i)

10 Theorem 3. The construction of CreateWitnessBatch, VerifyEvalBatch in 3.4 is binding provided the t-bsdh assumption holds in G. This theorem is proven in the full version. The batch construction can be modified for PolyCommit Ped due to homomorphic nature of PolyCommit DL. In the full version we also compare the overhead of various commitment schemes, when Alice commits to t values, and then must reveal k of them. Overhead excludes the communication cost of sending the committed values. Notably, the communication overhead of PolyCommit DL is constant when batch opening is used. Strong Correctness. VSS schemes will require an additional property of the PolyCommit scheme: it should not be possible to commit to a polynomial of degree greater than t. This is called the strong correctness property. To define strong correctness for the PolyCommit schemes is not easy, e.g., there are many polynomials φ of degree greater than t such that φ(α) = z R Z p and so g z is trivially a PolyCommit DL commitment to some polynomial of degree t such that 2 κ > t > t. To avoid this triviality, we require that an adversary A must convince a challenger B that he knows φ with the following game. A creates a commitment to a claimed polynomial φ of degree t. B challenges A with t + 1 indices I Z p. A wins if he is able to produce { i, φ(i), w i ) } i I accepted by VerifyEval and that the interpolation (in exponents) of any t + 1 witnesses generates a degree t 1 polynomial. Similarly for PolyCommit Ped. Refer to the extended version of the paper for proof of the following theorem. Theorem 4. PolyCommit DL and PolyCommit Ped have the strong correctness property if the t-polydh assumption holds in G. Practicality and Efficiency Improvements. In absence of a single trusted party, computing Setup can be distributed. Here, SK = α is computed in a distributed form (i.e., shared by multiple parties forming a distributed authority) using the concept of distributed key generation [31]. PK is computed using a distributed multiplication protocol [20]. As we do not require SK during our protocols and as anybody can verify the correctness of PK using pairings, it is possible to consider PK as a global reusable set, shared in many systems. Further, the exponentiations required when committing and creating witnesses can be trivially parallelized. Also, since C = g φ(α) is computed as a product of powers (sometimes called a multi-exponentiation), we suggest using fast exponentiation techniques [32] instead of a naïve implementation. It is also possible to precompute e(c, g) and e(g, g) for use during verification. 4 Applications In this section, we describe applications of our commitment schemes to verifiable secret sharing ( 4.1), zero-knowledge sets and elementary databases ( 4.2), and selective disclosure of signed data and credentials ( 4.3).

11 4.1 Verifiable Secret Sharing (VSS) For integers n and t such that n > t 0, an (n, t)-secret sharing scheme [34, 4] is a method used by a dealer P d to share a secret s among a set of n participants (the sharing Sh phase) in such a way that in the reconstruction Rec phase any subset of t + 1 or more honest participants can compute the secret s, but subsets of size t or fewer cannot. Furthermore, in secret sharing, nodes may need a procedure to verify the correctness of the dealt values in order to prevent malicious behaviour by the dealer. To solve this problem, Chor et al. [15] introduced verifiability in secret sharing, which led to the concept of verifiable secret sharing (VSS). VSS schemes have two security requirements: secrecy and correctness. Secrecy (VSS-S). A t-limited adversary who compromises t nodes cannot compute s during the Sh phase. Correctness (VSS-C). The reconstructed value should be equal to the shared secret s or every honest node concludes that the dealer is malicious by outputting. In the computational complexity setting, any malicious behaviour by P d is caught by the honest nodes in the Sh phase itself and the VSS-C property simplifies to the following: the reconstructed value should be equal to the shared secret s. Many VSS applications requires that broadcasts from any t + 1 honest nodes or any 2t+1 nodes is sufficient to reconstruct s. Therefore, along with VSS-S and VSS-C, we mandate the correctness property that we refer as the strong correctness property. Further, some VSS schemes achieve a stronger secrecy guarantee. Strong Correctness (VSS-SC). The same unique value s is reconstructed regardless of the subset of nodes (of size greater than 2t) chosen by the adversary in the Rec algorithm. Strong Secrecy (VSS-SS). The adversary who compromises t nodes have no more information about s except what is implied by the public parameters. Feldman [18] developed the first efficient VSS protocol, which forms the basis of all VSS schemes defined in the literature. In the literature, the discrete logarithm commitment or Pedersen commitment is used in the Feldman VSS achieve the binding (correctness) and the hiding (secrecy) properties. Both of these commitment schemes trivially satisfy the strong correctness (VSS-SC) property of VSS by the fact that the size of a commitment to a polynomial φ(x) Z p [x] is equal to deg(φ) + 1, which is O(n) (since for optimal resiliency, deg(φ) = t = n 1 2 ). However, the commitment to a polynomial has to be broadcast to all nodes, which results in a linear-size broadcast for Feldman VSS and their variants and a linear complexity gap between the message and the bit complexities. Our goal is to close this gap using any of the PolyCommit schemes. Next, we apply PolyCommit DL to existing polynomial-based VSS schemes and reduce the broadcast message size of VSS by a linear factor, making it equal to the message complexity. Although PolyCommit DL can be used in any univariate polynomial-based scheme, we choose the Feldman VSS for ease of exposition.

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

1 Dealing Cards in Poker Games Philippe Golle Palo Alto Research Center pgolle@parc.com Abstract This paper proposes a new protocol for shuffling and dealing cards, that is designed specifically for games

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

Social Secret Sharing in Cloud Computing Using a New Trust Function Mehrdad Nojoumian and Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario N2L 3G1,

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

A New Class of Public Key Cryptosystems Constructed Based on Reed-Solomon Codes, K(XII)SEPKC. Along with a presentation of K(XII)SEPKC over the extension field F 2 8 extensively used for present day various

A New Receipt-Free E-Voting Scheme Based on Blind Signature (Abstract) Zhe Xia University of Surrey z.xia@surrey.ac.uk Steve Schneider University of Surrey s.schneider@surrey.ac.uk May 25, 2006 Abstract

To appear in Proceedings of the Fourth Annual Conference on Computer and Communications Security, ACM, 1997. Earlier version was Technical Report CS95-447, Department of Computer Science and Engineering,

Privacy-Preserving Set Operations Lea Kissner and Dawn Song Carnegie Mellon University Abstract In many important applications, a collection of mutually distrustful parties must perform private computation

Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,